[xmlsec] xmlsec returns error when trying to validate SAML response

Artur Rychlewicz artur513 at outlook.com
Wed Mar 2 08:27:54 PST 2016


OK, that changes the output, but it is still not validating:
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=249:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "/tmp/test-new.xml"

I generated the SAML response a moment before invoking the command with the --id-attr that you provided, so the response itself was still valid (not obsolete).
Artur
> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response
> To: artur513 at outlook.com; xmlsec at aleksey.com
> From: aleksey at aleksey.com
> Date: Wed, 2 Mar 2016 07:58:51 -0800
> 
> It should be
> 
> --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response
> 
> Aleksey
> 
> On 3/2/16 1:24 AM, Artur Rychlewicz wrote:
> > Yes, I have tried this, but it didn't help at all.
> > 
> > Commands (judging from the printed stack trace, they're equivalent):
> > xmlsec1 --verify --id-attr:ID saml2p:Response test.xml
> > xmlsec1 --verify test.xml
> > 
> > XML file (trimmed, but you'll get the idea):
> > <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> >                  ID="uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453">
> >     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >         <ds:SignedInfo>
> >             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> >             <ds:Reference URI="#uuid-fb4f8863-062c-41bd-95d9-dc7f77ccf453">
> >                 <ds:Transforms>
> >                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> >                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> >                 </ds:Transforms>
> >                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> >                 <ds:DigestValue>lAcsILQxRk4LvbSfREkypyI6gMc=</ds:DigestValue>
> >             </ds:Reference>
> >         </ds:SignedInfo>
> >         <ds:SignatureValue>gT/SeC..bjrQ==</ds:SignatureValue>
> >         <ds:KeyInfo>
> >             <ds:X509Data>
> >                 <ds:X509Certificate>MII..A==</ds:X509Certificate>
> >             </ds:X509Data>
> > ..
> >         </ds:KeyInfo>
> >     </ds:Signature>
> > 
> > According to the FAQ, I should declare the name of the ID element, but in my
> > case it is "ID". And yet, it still displays the error. Following the
> > FAQ, point 3.4 states that I am probably using Visa 3-D files, but
> > again, that is not an option here.
> > 
> > It's highly likely that I just do not understand *how* to use xmlsec1
> > and am doing it plain wrong. That said, please take a look and check where
> > I am wrong.
> > 
> > Artur
> > 
> >> Subject: Re: [xmlsec] xmlsec returns error when trying to validate SAML response
> >> To: artur513 at outlook.com; xmlsec at aleksey.com
> >> From: aleksey at aleksey.com
> >> Date: Tue, 1 Mar 2016 09:30:18 -0800
> >>
> >> FAQ, section 3.2 (if I recall correctly).
> >>
> >> Aleksey
> >>
> >> On 3/1/16 8:57 AM, Artur Rychlewicz wrote:
> >> >
> >> >
> >> > Hello,
> >> >
> >> > I've been trying to use xmlsec1 to validate a signed XML response
> >> > containing SAML data.
> >> >
> >> > When I execute:
> >> >
> >> > xmlsec1 --verify test.xml
> >> >
> >> > I receive the following stack trace:
> >> >
> >> >
> >> > func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('uuid-73c06e86-88d2-4204-91f4-3d484bc782cc'))
> >> >
> >> > func=xmlSecXPathDataListExecute:file=xpath.c:line=373:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> >> >
> >> > func=xmlSecTransformXPathExecute:file=xpath.c:line=483:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> >> >
> >> > func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2411:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> >> >
> >> > func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1242:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
> >> >
> >> > func=xmlSecTransformCtxExecute:file=transforms.c:line=1302:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> >> >
> >> > func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1589:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> >> >
> >> > func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=822:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
> >> >
> >> > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=563:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
> >> >
> >> > func=xmlSecDSigCtxVerify:file=xmldsig.c:line=382:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
> >> > Error: signature failed
> >> > ERROR
> >> > SignedInfo References (ok/all): 0/1
> >> > Manifests References (ok/all): 0/0
> >> > Error: failed to verify file "test.xml"
> >> >
> >> > I do not know how XML signatures work, but I presume that the ID was
> >> > taken from the <saml2p:Response> tag, which contains an ID with the value
> >> > "uuid-73c06e86-88d2-4204-91f4-3d484bc782cc". The <saml2p:Response> element
> >> > contains a <ds:Signature> element, which in turn contains a <ds:Reference>
> >> > with the parameter URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc".
> >> >
> >> > Since I do not need this value/data, I'd like to check the signature of
> >> > the <saml2:Assertion> element, which also contains its own
> >> > <ds:Signature> value.
> >> >
> >> > That said, I'd like to ask you for instructions on how to validate the element I
> >> > need. Thank you in advance.
> >> >
> >> > Best regards,
> >> > Artur Rychlewicz
> >> >
> >> >
> >> > _______________________________________________
> >> > xmlsec mailing list
> >> > xmlsec at aleksey.com
> >> > http://www.aleksey.com/mailman/listinfo/xmlsec
> >> >
> > 
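Added example for this thread (not code from the xmlsec project or from either poster): a small Python 3 model, standard library only, of what the --id-attr option makes xmlsec1 do. It declares which attribute is the ID on which element (the element named by namespace URI, as in Aleksey's corrected command, not by prefix as in the "saml2p:Response" form that matched nothing), resolves the Reference URI="#..." through that table, applies the enveloped-signature transform and compares the SHA-1 digest. Running it reproduces both outcomes seen in the thread: an unresolvable xpointer id() when no matching ID attribute is declared, and "data and digest do not match" when the bytes being hashed differ from what was signed. Assumptions: the sample document, its IDs uuid-0001 and uuid-0002 and the issuer https://idp.example/ are constructed for the example; canonicalization is ElementTree's C14N 2.0 rather than the exc-c14n 1.0 the real response declares, so it will not reproduce a real response's digest byte for byte; all function names are this example's own.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
for _prefix, _uri in (("saml2p", SAMLP), ("saml2", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)  # keep prefixes stable when re-serializing

# Constructed sample modelled on the trimmed response in the thread; IDs and issuer are
# made up. DigestValue is a placeholder that sign_reference() fills in.
SAMPLE = f"""<saml2p:Response xmlns:saml2p="{SAMLP}" ID="uuid-0001">
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo><ds:Reference URI="#uuid-0001">
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference></ds:SignedInfo>
  </ds:Signature>
  <saml2:Assertion xmlns:saml2="{SAML}" ID="uuid-0002">
    <saml2:Issuer>https://idp.example/</saml2:Issuer>
  </saml2:Assertion>
</saml2p:Response>"""

# Same role as xmlsec1's --id-attr options: (attribute name, element it is declared on).
# The element is named by namespace URI, not by prefix: "saml2p:Response" matches nothing.
ID_ATTRS = [("ID", f"{{{SAMLP}}}Response"), ("ID", f"{{{SAML}}}Assertion")]


def index_ids(root, id_attrs):
    """libxml2 only knows an attribute is an ID from a DTD or schema, so the
    verifier must be told which ones count; build that ID -> element table."""
    ids = {}
    for attr, qname in id_attrs:
        for el in root.iter(qname):
            value = el.get(attr)
            if value is not None:
                if value in ids:  # two elements sharing one ID: refuse rather than guess
                    raise ValueError(f"duplicate ID {value!r}")
                ids[value] = el
    return ids


def strip_enveloped_signature(signed_el, signature_el, parents):
    """Enveloped-signature transform: a copy of the signed element minus the ds:Signature
    being verified. Refuses when that Signature is not inside the referenced element."""
    path, node = [], signature_el  # child indices from the Signature up to signed_el
    while node is not signed_el:
        parent = parents.get(node)
        if parent is None:
            raise ValueError("Signature is not inside the referenced element")
        path.append(list(parent).index(node))
        node = parent
    clone = copy.deepcopy(signed_el)
    clone.tail = None
    holder = clone
    for idx in reversed(path[1:]):
        holder = holder[idx]
    holder.remove(holder[path[0]])
    return clone


def digest_b64(el):
    # C14N 2.0 from the stdlib (Python 3.8+), not exc-c14n 1.0: see the lead-in.
    canonical = ET.canonicalize(ET.tostring(el, encoding="unicode")).encode("utf-8")
    return base64.b64encode(hashlib.sha1(canonical).digest()).decode("ascii")


def reference_data(root, id_attrs, which=0):
    """Take the which-th ds:Signature (xmlsec1 uses the first unless --node-id, --node-name
    or --node-xpath selects another), resolve its Reference URI, return (Reference, data)."""
    signature = list(root.iter(f"{{{DS}}}Signature"))[which]
    reference = signature.find("ds:SignedInfo/ds:Reference", NS)
    uri = reference.get("URI", "") if reference is not None else ""
    if not uri.startswith("#"):
        raise ValueError(f"only same-document references are handled: {uri!r}")
    signed_el = index_ids(root, id_attrs).get(uri[1:])
    if signed_el is None:  # the xpointer(id('...')) failure in the first trace
        raise LookupError(f"cannot resolve {uri}: no declared ID attribute matches")
    parents = {child: parent for parent in root.iter() for child in parent}
    return reference, strip_enveloped_signature(signed_el, signature, parents)


def sign_reference(xml_text, id_attrs, which=0):
    """Fill in DigestValue (only the digest half of signing; SignatureValue is out of scope)."""
    root = ET.fromstring(xml_text)
    reference, data = reference_data(root, id_attrs, which)
    reference.find("ds:DigestValue", NS).text = digest_b64(data)
    return ET.tostring(root, encoding="unicode")


def verify_reference(xml_text, id_attrs, which=0):
    """Returns (ok, reason); the failure reasons are the ones the thread ran into."""
    try:
        reference, data = reference_data(ET.fromstring(xml_text), id_attrs, which)
    except (LookupError, ValueError) as exc:
        return False, str(exc)
    expected = reference.findtext("ds:DigestValue", default="", namespaces=NS).strip()
    if digest_b64(data) != expected:
        return False, "data and digest do not match"
    return True, "reference digest ok"


# Worked instance: the constructed sample with its DigestValue filled in.
SIGNED = sign_reference(SAMPLE, ID_ATTRS)
```

verify_reference(SIGNED, ID_ATTRS) accepts the document; verify_reference(SIGNED, [("ID", "saml2p:Response")]) cannot resolve the URI, which is the prefix-form mistake from the thread; changing any byte inside the Assertion gives the digest mismatch; and pointing the Reference at uuid-0002 while the Signature stays under the Response is refused because an enveloped Reference must cover the Signature it contains (the classic signature-wrapping shape). Two points carry over to the real tool: the Assertion's own signature needs its own declaration, a second option --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion, plus --node-xpath or --node-id to select that Signature node; and a digest mismatch on a reference that does resolve means the bytes being hashed are not the bytes that were signed, so verify the response exactly as received, not a re-indented or re-serialized copy, since whitespace inside the signed element is part of the digest.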